Approved for Public Release; Distribution Unlimited
Case #04-0905

THE SHAPES OF BUNDLES

SHADDIN F. DOGHMI, JOSHUA D. GUTTMAN, AND F. JAVIER THAYER

Contents

1. Introduction 2
2. Background 2
2.1. Protocols 2
2.2. An Example: The Yahalom Protocol 3
2.3. Occurrences and Sets 4
2.4. Unification 5
3. Skeletons 5
3.1. Homomorphisms 6
3.2. Collapsing pre-Skeletons 7
3.3. Structure of Homomorphisms between Skeletons 8
3.4. Primitive pre-Skeletons 8
3.5. Substructures, Liveness 10
4. Operations on pre-Skeletons 10
4.1. Joins 10
4.2. Order Refinement 11
4.3. Augmentations 11
5. Safety 12
5.1. Establishing Safety 13
5.2. Safe Keys in Yahalom 14
5.3. Providing Protection for Atoms 15
6. The Authentication Tests 15
6.1. The Outgoing Authentication Test 15
6.2. Outgoing Tests for the Yahalom Protocol 16
6.3. The Incoming Authentication Test 17
6.4. Incoming Tests for the Yahalom Protocol 17
7. The Authentication Tests and Homomorphisms 17
7.1. Outgoing Tests and Homomorphisms 17
7.2. Incoming Tests and Homomorphisms 19
8. Conclusion 19
References 19
Appendix A. Strand Spaces 20

Acknowledgments. This work was supported by the National Security Agency.




Report Documentation Page (Form Approved, OMB No. 0704-0188)


1. Report date: 2004
3. Dates covered: 00-00-2004 to 00-00-2004
4. Title and subtitle: The Shapes of Bundles
7. Performing organization name and address: MITRE Corporation, 202 Burlington Road, Bedford, MA 01730-1420
12. Distribution/availability statement: Approved for public release; distribution unlimited
16. Security classification: a. report: unclassified; b. abstract: unclassified; c. this page: unclassified
18. Number of pages: 20

Standard Form 298 (Rev. 8-98), prescribed by ANSI Std Z39-18




Version of: August 31, 2004


1. Introduction

When analyzing cryptographic protocols, one often finds that there is really only one thing that can happen in a run of the protocol, or at worst a small number of different things. For instance, every execution of the familiar Needham-Schroeder-Lowe protocol [6, 5] consists of a matching pair consisting of a run of the initiator and one of the responder; no other interaction is possible. We call such a collection of local executions by honest principals a shape. In this paper, we use the strand space theory [4] to develop a framework for explaining observations such as this one, that most protocols allow very few shapes, and frequently only one.

We view protocol analysis as a process of assembling different instances of the roles of the protocol. Perhaps one starts with a single execution of a single role. This execution provides the "point of view" of the analysis: Suppose the initiator has sent and received the following messages; what other principals must have had runs? Having started with a single run, one would like to add instances of the roles of the protocol, suitably instantiated, to explore what explanations are possible for the experience of the original principal. If in this process there are very rarely essentially different choices to make, then there will be very few shapes to be found at the leaves of the exploration.

In carrying out this program, we have taken an algebraic view. We define a notion of homomorphism, and the exploration consists of applying homomorphisms of a special kind we call augmentations. The algebraic framework has turned out to be highly suggestive for the development of our theory.

2. Background

A set $\mathsf{A}$ contains the messages ("terms") to be exchanged. They are freely generated from atoms of several disjoint types (including names, other texts, nonces, and keys) by concatenation and encryption, in which the second argument is a key. A substitution is a type-respecting function on atoms which differs from the identity only for a finite number of arguments; we regard this finite set of arguments as the domain of the substitution. Applying a substitution $\sigma$ to a term $t$, with result $t \cdot \sigma$, is defined as expected. A strand is a sequence of message transmissions and receptions, and we refer to the $i^{\text{th}}$ event on $s$ as $s \downarrow i$. Message transmission has positive sign, and reception has a negative sign. Application is lifted to strands pointwise, and it is lifted to sets of terms pointwise. See Appendix A for additional definitions.

2.1. Protocols. We start by defining how we regard a protocol.

Definition 2.1 (Protocol). A protocol $\Pi$ consists of (1) a finite set of strands called the roles of $\Pi$; (2) for each role $r \in \Pi$, two sets of atoms $u_r, n_r$ giving origination data for $r$; and (3) a number of key function symbols, and for each role $r$ a set of 0 or more key constraints, i.e. equations involving these function symbols and atoms occurring in $r$. The regular strands of $\Pi$, written $\Sigma_\Pi$, are all strands $s$ of the form $s = r \cdot \sigma$ for some role $r \in \Pi$.

A bundle over $\Pi$ is a bundle (Definition A.2) in which (1) every strand is either a penetrator strand (Definition A.4) or a regular strand in $\Sigma_\Pi$; (2a) when $\mathcal{B}$ contains nodes of $s = r \cdot \sigma$, then for $a \in u_r \cdot \sigma$, $a$ originates at most once in $\mathcal{B}$; (2b) when $\mathcal{B}$ contains nodes of $s = r \cdot \sigma$, then for $a \in n_r \cdot \sigma$, $a$ does not originate in $\mathcal{B}$; and (3) the key function symbols may be interpreted by injective functions with disjoint range, such that for each regular strand $s = r \cdot \sigma$, each key constraint for $r$ is true under $\sigma$.

Figure 1. The Yahalom Protocol

Origination data $u_r, n_r$ is used to indicate parameters of a role that all participants in the protocol can expect to be uniquely originating or non-originating (respectively for $u_r$ and $n_r$). For instance, if a protocol has a key server role $r$, generating a session key $K$, all participants in the protocol can assume that a given session key will be generated at most once, as can be recorded by putting $u_r = \{K\}$. If a protocol has a certification authority role $r$, all participants in the protocol can assume that the principal $C$ active in that role has an uncompromised signing key, as can be recorded by putting that key in $n_r$. For roles not specially trusted in the protocol, typically $u_r = n_r = \emptyset$.

The key function symbols are used to represent the relations between parameters representing principals and parameters representing their keys. For instance, "the public encryption key of" relates a principal $A$ to the key that should be used to encrypt data for safe delivery to $A$, and "the long term shared key of" may relate a pair of principals $A, B$ to a key they use to agree on session keys. The condition that an interpretation satisfies all the constraints means that in a bundle for $\Pi$, there is a compatible choice of values for these keys, across all regular strands.

2.2. An Example: The Yahalom Protocol. The Yahalom protocol [1] is a protocol that assumes that principals share long-term symmetric keys with a key server. The key server constructs fresh session keys which it distributes to principals on request. The protocol execution appears in Figure 1. Observe here that the term $\{|A \mathbin{\hat{}} K|\}_{K_B}$ is sent by the server $S$ to the initiator $A$, who does not possess $K_B$, but merely retransmits it for the responder $B$. We choose to regard this as merely an indirect way for $S$ to cause this term eventually to reach $B$. We therefore regard the protocol as taking the form shown in Figure 2. Many protocols involve message components that are forwarded in this way, and clearly we can always revise them as we have just done in this case to transmit the component separately, as justified in [4, Section 5.1.3].

The revised Yahalom protocol contains three roles, namely the initiator, the responder, and the server. The behavior of the initiator consists of a transmission followed by a reception and another transmission:

$$+A \mathbin{\hat{}} N_a, \quad -\{|B \mathbin{\hat{}} K \mathbin{\hat{}} N_a \mathbin{\hat{}} N_b|\}_{K'}, \quad +\{|N_b|\}_K$$




Figure 2. The Yahalom Protocol Revised


The responder's behavior starts with a message reception, followed by a transmission and two receptions:

$$-A \mathbin{\hat{}} N_a, \quad +B \mathbin{\hat{}} \{|A \mathbin{\hat{}} N_a \mathbin{\hat{}} N_b|\}_{K'}, \quad -\{|A \mathbin{\hat{}} K|\}_{K'}, \quad -\{|N_b|\}_K$$

Finally, the server receives one message and then transmits two:

$$-B \mathbin{\hat{}} \{|A \mathbin{\hat{}} N_a \mathbin{\hat{}} N_b|\}_{K''}, \quad +\{|B \mathbin{\hat{}} K \mathbin{\hat{}} N_a \mathbin{\hat{}} N_b|\}_{K'}, \quad +\{|A \mathbin{\hat{}} K|\}_{K''}$$

A principal interacting with the server trusts the server to maintain a valid, well-protected key with each other principal it would like to interact with. Thus, when we add a server strand, we will need to assume that the long term keys of both principals are uncompromised; hence $n_S = \{K', K''\}$ for the server role $S$. The origination data specifying non-origination for the other roles is empty. Moreover, the key server is trusted always to generate fresh session keys, so that for the server role $S$, $u_S = \{K\}$.

The only key function symbol, "the long term server key of," we may write $\mathrm{key}(P)$ as a function of a principal $P$. By contrast, $K', K''$ are ordinary variables. The constraint on the initiator role is $\mathrm{key}(A) = K'$; the constraint on the responder role is $\mathrm{key}(B) = K'$; the server role has two constraints $\mathrm{key}(A) = K'$ and $\mathrm{key}(B) = K''$.

2.3. Occurrences and Sets. We view each term as an abstract syntax tree, in which atoms are leaves and internal nodes are either concatenations $g \mathbin{\hat{}} h$, where $g$ and $h$ label the child nodes, or else encryptions $\{|t|\}_K$, where $t$ and $K$ label the child nodes. A branch through the tree traverses a key child if the branch traverses an encryption and then traverses the second child (the key) labeled $K$.

An occurrence of $t_0$ in $t$ is a branch within the tree for $t$ that ends at a node labeled $t_0$ without traversing a key child. A use of $K$ in $t$ (for encryption) is a branch within the tree for $t$ that ends at a node labeled $K$ and that has traversed a key child. We say that $t_0$ is a subterm of $t$ (written $t_0 \sqsubset t$; see Definition A.1, Clause 2) if there is an occurrence of $t_0$ within $t$. When $S$ is a set of terms, $t_0$ occurs only within $S$ in $t$ if, in the abstract syntax tree of $t$, every occurrence of $t_0$ traverses a node labeled with some $t_1 \in S$ (properly) before reaching $t_0$. Term $t_0$ occurs outside $S$ in $t$ if $t_0 \sqsubset t$ but $t_0$ does not occur only within $S$ in $t$.

Definition 2.2. If $S$ is a set of terms, then $S \cdot \sigma^{-1} = \{t : t \cdot \sigma \in S\}$.

Observe that $(S \cdot \sigma^{-1}) \cdot \sigma = S$, while $S \subseteq (S \cdot \sigma) \cdot \sigma^{-1}$.

Proposition 2.3. Suppose $a$ occurs only within $S$ in $t$, and suppose that whenever $b \cdot \sigma = a \cdot \sigma$, then $b$ occurs only within $(S \cdot \sigma) \cdot \sigma^{-1}$ in $t$. Then $a \cdot \sigma$ occurs only within $S \cdot \sigma$ in $t \cdot \sigma$.

In particular, when no such $b$ occurs in $t$, the conclusion holds.

Proposition 2.4. If $a$ occurs outside $S \cdot \sigma^{-1}$ in $t$, then $a \cdot \sigma$ occurs outside $S$ in $t \cdot \sigma$.

2.4. Unification. In this paper a substitution is a mapping which associates atoms to atoms of the same type. In this context unification is much simpler. A unifier for terms $t, s$ is a substitution $\sigma$ such that $s \cdot \sigma = t \cdot \sigma$. A most general unifier (MGU) for $s, t$ is a unifier $\sigma$ such that for any unifier $\sigma'$ there is a substitution $\beta$ such that $\sigma' = \beta \circ \sigma$. $\beta$ is uniquely determined on the range of $\sigma$. If a unifier exists, so does a most general one.

If $t$ is a term, $\mathrm{tree}(t)$ is the parse tree of $t$ in which each leaf node $a$ is replaced with its type. Terms $t, s$ are unifiable iff $\mathrm{tree}(t) = \mathrm{tree}(s)$. Hence:

Proposition 2.5. Terms $t, t'$ are unifiable iff for every $\sigma$, $t \cdot \sigma$ and $t' \cdot \sigma$ are unifiable.

This fact is clearly not true for unification in general, where a substitution may replace a variable with a compound term.

Definition 2.6. A substitution $\sigma$ is a representation choice for a finite set $S$ of atoms if $\sigma$ is idempotent and $\sigma$ is the identity outside $S$. It is a pure renaming from $S_0$ to $S_1$ if it is a bijection from $S_0$ to $S_1$.

Proposition 2.7. If $\sigma_0$ is a representation choice for $S$ and $\sigma_1$ is a representation choice for $S \cdot \sigma_0$, then $\sigma_1 \circ \sigma_0$ is a representation choice for $S$. Pure renamings are closed under composition.

Every substitution $\sigma$ can be written in the form $\sigma_1 \circ \sigma_0$ where $\sigma_0$ is a representation choice on $S$, $\sigma_1$ is a pure renaming from $S \cdot \sigma_0$ to $S \cdot \sigma$, and $S = \{a : a \cdot \sigma \neq a \;\vee\; \exists b .\; b \neq a \wedge b \cdot \sigma = a\}$.

When $\beta = \sigma' \circ \sigma$ we say that $\beta$ coarsens $\sigma$ and $\sigma$ refines $\beta$. "Refines" is a preorder; it becomes a partial order if we identify substitutions differing by a renaming.
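The term algebra of Sections 2.3 and 2.4, worked through in code as an added example (not from the paper): atoms carry their type, occurrences never pass through a key child, and, because substitutions only map atoms to atoms of the same type, unifiability reduces to comparing typed parse trees and the MGU is computed by merging the atoms paired at matching leaves. The "type:name" atom encoding, the tuple representation of terms, and the sample terms built from the revised Yahalom server role are assumptions of this example.

```python
"""Typed terms, substitutions, occurrences and unification (Sections 2.3-2.4).

Atoms are strings "type:name" (e.g. "nonce:Na"); compound terms are
("cat", g, h) for g ^ h and ("enc", t, K) for {|t|}_K.  Sample terms are
constructed from the revised Yahalom server role of Section 2.2.
"""
from typing import Dict, Iterator, Optional, Set, Tuple, Union

Term = Union[str, Tuple]   # an atom, or ("cat", g, h) / ("enc", t, K)
Subst = Dict[str, str]     # finite map: atom -> atom of the same type

def atype(a: str) -> str:
    return a.split(":", 1)[0]

def cat(*parts: Term) -> Term:
    """Right-associated concatenation g ^ h ^ ..."""
    return parts[0] if len(parts) == 1 else ("cat", parts[0], cat(*parts[1:]))

def enc(t: Term, k: str) -> Term:
    return ("enc", t, k)

def apply(t: Term, sigma: Subst) -> Term:
    """t . sigma: the substitution acts at every leaf, key positions included."""
    if isinstance(t, str):
        return sigma.get(t, t)
    tag, x, y = t
    return (tag, apply(x, sigma), apply(y, sigma))

def compose(beta: Subst, alpha: Subst) -> Subst:
    """beta o alpha as a finite map: apply alpha first, then beta."""
    out = {a: beta.get(b, b) for a, b in alpha.items()}
    for a, b in beta.items():
        out.setdefault(a, b)
    return {a: b for a, b in out.items() if a != b}

def tree(t: Term) -> Term:
    """Parse tree with every leaf replaced by its type (Section 2.4)."""
    return atype(t) if isinstance(t, str) else (t[0], tree(t[1]), tree(t[2]))

def occurrences(t: Term, t0: Term, path: Tuple = ()) -> Iterator[Tuple]:
    """Each occurrence of t0 in t, as the tuple of its proper ancestors.
    A branch never enters the key child of an encryption: reaching K there
    is a use of K, not an occurrence."""
    if t == t0:
        yield path
    if isinstance(t, str):
        return
    tag, x, y = t
    yield from occurrences(x, t0, path + (t,))
    if tag == "cat":
        yield from occurrences(y, t0, path + (t,))

def is_subterm(t0: Term, t: Term) -> bool:
    return any(True for _ in occurrences(t, t0))

def occurs_only_within(t0: Term, S: Set[Term], t: Term) -> bool:
    """Every occurrence of t0 in t passes (properly) through some t1 in S."""
    return all(any(anc in S for anc in path) for path in occurrences(t, t0))

def occurs_outside(t0: Term, S: Set[Term], t: Term) -> bool:
    return is_subterm(t0, t) and not occurs_only_within(t0, S, t)

def mgu(t: Term, s: Term) -> Optional[Subst]:
    """Most general unifier of t and s, or None.  Substitutions map atoms to
    atoms of the same type, so t and s unify iff tree(t) == tree(s)
    (Proposition 2.5); the MGU merges exactly the atoms paired at matching
    leaves.  Union-find does that and yields an idempotent representation
    choice on the merged atoms."""
    if tree(t) != tree(s):
        return None
    parent: Dict[str, str] = {}

    def find(a: str) -> str:
        parent.setdefault(a, a)
        while parent[a] != a:
            a = parent[a]
        return a

    def merge(u: Term, v: Term) -> None:
        if isinstance(u, str):
            parent[find(u)] = find(v)
        else:
            merge(u[1], v[1])
            merge(u[2], v[2])

    merge(t, s)
    return {a: find(a) for a in parent if find(a) != a}

# Constructed sample: the server role's reception and first transmission,
# with K1 standing for K' = key(A) and K2 for K'' = key(B).
A, B, NA, NB, K, KA, KB = ("name:A", "name:B", "nonce:Na", "nonce:Nb",
                           "key:K", "key:K1", "key:K2")
SERVER_IN = cat(B, enc(cat(A, NA, NB), KB))    # -B ^ {|A ^ Na ^ Nb|}_K''
SERVER_OUT = enc(cat(B, K, NA, NB), KA)        # +{|B ^ K ^ Na ^ Nb|}_K'
# A concrete responder transmission that the server's reception may match.
RESP_OUT = cat("name:b", enc(cat("name:a", "nonce:na", "nonce:nb"), "key:kb"))
```

Note that `K1` is used in `SERVER_OUT` but is not a subterm of it, which is exactly the distinction that lets a key sit in `non` while still protecting a message.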

3. Skeletons

A skeleton is essentially the regular part of a bundle, annotated with a set of values assumed to originate uniquely and a set of values assumed non-originating.

Definition 3.1 (Skeleton). When $R$ is a set of strands, $h\colon R \to \mathbb{N}$ is a height function for $R$ when $s \in R$ implies $h(s) \leq \mathrm{length}(s)$.

A quintuple $\mathbb{A} = (R, h, \preceq, \mathrm{non}, \mathrm{unique})$ is a pre-skeleton if (1) $h$ is a height function for $R$; and (2) $\preceq$ is a weak partial ordering on pairs $(s, i)$ where $s \in R$ and $1 \leq i \leq h(s)$ that is compatible with the strand order.$^1$

The nodes of $\mathbb{A}$ are the pairs $n = (s, i)$ where $s \in R$ and $1 \leq i \leq h(s)$. We write $s \downarrow i$ for the node $n = (s, i)$. An atom $a$ occurs in $\mathbb{A}$ if it occurs in $\mathrm{term}(n)$ for some $n \in \mathbb{A}$. $K$ is used in $\mathbb{A}$ if $\{|t|\}_K \sqsubset \mathrm{term}(n)$ or $\{|t|\}_{K^{-1}} \sqsubset \mathrm{term}(n)$ for some $n \in \mathbb{A}$. $\mathbb{A}$ mentions $a$ if either $a$ occurs in it or $a$ is used in it. We indicate components of $\mathbb{A}$ by subscripting, writing e.g. $\preceq_{\mathbb{A}}$.

$^1$ "Compatible with the strand order" means $(s, i) \preceq (s, j)$ when $s \in R$ and $1 \leq i \leq j \leq h(s)$.

$\mathbb{A}$ is a skeleton if in addition (3) $\mathrm{unique}$ is a set of atoms, where $a \in \mathrm{unique}$ implies $a$ occurs in $(R, h)$, and moreover $a$ originates on at most one $n$ in $(R, h)$; and (4) $\mathrm{non}$ is a set of keys such that $K \in \mathrm{non}$ implies $K$ does not occur in $(R, h)$ but $K$ is used in $(R, h)$.

A bundle $\mathcal{B}$ realizes a skeleton $\mathbb{A}$ if (1) the regular nodes of $\mathcal{B}$ are precisely the nodes of $\mathbb{A}$; (2) whenever $n_0, n_1$ are nodes of $\mathbb{A}$, $n_0 \preceq_{\mathbb{A}} n_1$ if and only if $n_0 \preceq_{\mathcal{B}} n_1$; (3) if $a \in \mathrm{unique}$, then $a$ is uniquely originating in $\mathcal{B}$; and (4) if $a \in \mathrm{non}$, then $a$ is non-originating in $\mathcal{B}$. $\mathbb{A}$ is realizable if there exists a bundle $\mathcal{B}$ that realizes it.

If $\mathcal{B}$ is a bundle, then $\mathrm{skeleton}(\mathcal{B})$ is the skeleton $\mathbb{A}$ containing the regular nodes of $\mathcal{B}$, ordered as in $\mathcal{B}$, where $\mathrm{unique}_{\mathbb{A}}$ is the set of values that originate uniquely and on a regular node of $\mathcal{B}$, and $\mathrm{non}_{\mathbb{A}}$ is the set of keys $K$ such that $K$ originates nowhere in $\mathcal{B}$ but $K$ is used on a regular node of $\mathcal{B}$.

Proposition 3.2. If $\mathcal{B}$ is a bundle, then $\mathcal{B}$ realizes $\mathrm{skeleton}(\mathcal{B})$.
3.1. Homomorphisms. A substitution, if it is injective on atoms occurring in $\mathbb{A}$, is simply a renaming. If it maps two atoms $x, y$ to the same value, then it may disrupt the origination properties of the skeleton. For instance, if $x \in \mathrm{non}_{\mathbb{A}}$ and $y$ originates somewhere, then the substitution cannot succeed. If $x \in \mathrm{unique}_{\mathbb{A}}$ but $y$ also has a point of origination, then the substitution succeeds and yields a skeleton as result only if $y$'s point of origination can be identified with $x$'s. The terms at these nodes must unify. If the strands that these nodes lie on have other parameters, then the identification cascades, causing other identifications also. In defining homomorphisms, we use a function $\phi$ to summarize the effect of any node identifications.

Definition 3.3 (Homomorphism). Let $\mathbb{A}_0$ and $\mathbb{A}_1$ be pre-skeletons. Let $\phi$ be a function from the nodes of $\mathbb{A}_0$ to nodes of $\mathbb{A}_1$. We say that substitutions $\sigma, \sigma'$ agree on the domain of $\phi$ if $a \cdot \sigma = a \cdot \sigma'$ for every $a$ mentioned in $\mathbb{A}_0$. We write $[\phi, \sigma]$ to refer to the set of pairs with first component $\phi$ and second component any substitution $\sigma'$ that agrees with $\sigma$ on the domain of $\phi$.

$H = [\phi, \sigma]$ is a homomorphism from $\mathbb{A}_0$ to $\mathbb{A}_1$ if:

(1) $\mathrm{term}(\phi(n)) = \mathrm{term}(n) \cdot \sigma$ for all $n \in \mathbb{A}_0$; moreover whenever $n \Rightarrow n'$ and $n' \in \mathbb{A}_0$, $\phi(n) \Rightarrow \phi(n')$.

(2) If $n \preceq_{\mathbb{A}_0} m$ then $\phi(n) \preceq_{\mathbb{A}_1} \phi(m)$.

(3) $\mathrm{unique}_{\mathbb{A}_0} \cdot \sigma \subseteq \mathrm{unique}_{\mathbb{A}_1}$.

(4) $\mathrm{non}_{\mathbb{A}_0} \cdot \sigma \subseteq \mathrm{non}_{\mathbb{A}_1}$.

We write $H\colon \mathbb{A}_0 \mapsto \mathbb{A}_1$ to indicate that $H$ is a homomorphism from $\mathbb{A}_0$ to $\mathbb{A}_1$.

The equality condition for $H = H'$ is intended to ensure that homomorphisms are not sensitive to the behavior of the substitution on atoms that play no role in the source pre-skeleton.

Definition 3.4 (Degeneracy). A substitution $\sigma$ is degenerate for $\mathbb{A}$ if there are distinct atoms $a, b$ and a strand $s$ where (1) $a \in \mathrm{unique}_{\mathbb{A}}$ originates at $s \downarrow i$ in $\mathbb{A}$, (2) $b$ occurs on $s \downarrow j$ for $j < i$, and (3) $a \cdot \sigma = b \cdot \sigma$.

$H = [\phi, \sigma]\colon \mathbb{A}_0 \mapsto \mathbb{A}$ is degenerate if $\sigma$ is degenerate for $\mathbb{A}_0$.

Degeneracy is of course preserved by coarsening:

Proposition 3.5. If $\sigma$ is degenerate for $\mathbb{A}$ then so is $\sigma' \circ \sigma$ for any substitution $\sigma'$. If $H$ is degenerate, then so is $H' \circ H$.

Proposition 3.6. If $\sigma$ is injective and $H = [\phi, \sigma]$ is a homomorphism, then $H$ is a non-degenerate homomorphism.

When $\sigma$ is a substitution and $\mathbb{A}$ is a pre-skeleton, $\mathbb{A} \odot \sigma$ is the pre-skeleton $\mathbb{A}_1$ such that

(1) $R_{\mathbb{A}_1} = R_{\mathbb{A}} \cdot \sigma$, and $h_{\mathbb{A}_1}(s \cdot \sigma) = h_{\mathbb{A}}(s)$;

(2) $s \cdot \sigma \downarrow i \preceq_{\mathbb{A}_1} s' \cdot \sigma \downarrow j$ iff $s \downarrow i \preceq_{\mathbb{A}} s' \downarrow j$;

(3) $\mathrm{unique}_{\mathbb{A}_1} = \mathrm{unique}_{\mathbb{A}} \cdot \sigma$; and

(4) $\mathrm{non}_{\mathbb{A}_1} = \mathrm{non}_{\mathbb{A}} \cdot \sigma$.

$\mathbb{A} \odot \sigma$ may fail to be a skeleton, even when $\mathbb{A}$ is a skeleton, in two ways:

(1) elements of $\mathrm{non}_{\mathbb{A} \odot \sigma}$ may have points of origination, or

(2) elements of $\mathrm{unique}_{\mathbb{A} \odot \sigma}$ may have multiple points of origination.

When elements of $\mathrm{non}_{\mathbb{A} \odot \sigma}$ have points of origination, no extension of $\sigma$ can repair this. However, multiple points of origination can sometimes be identified. We consider next how to factor the strands, while possibly coarsening $\sigma$, to identify these points of origination.

3.2. Collapsing pre-Skeletons. If $\mathbb{A}$ is a pre-skeleton and $s$ and $s'$ are strands of $\mathbb{A}$, then we write $s \circ s'$ if there is an $a \in \mathrm{unique}_{\mathbb{A}}$ which originates on both $s$ and $s'$. If $n, n'$ are nodes of $\mathbb{A}$ we write $n \circ n'$ if there are strands $s, s'$ and an integer $i$ such that $n = s \downarrow i$, $n' = s' \downarrow i$, and $s \circ s'$. The relation $\circ$ on nodes or on strands may fail to be transitive. For instance, if $s_0$ and $s_1$ both have points of origination for $a \in \mathrm{unique}$, while $s_1$ and $s_2$ both have points of origination for $b \in \mathrm{unique}$, then $s_0 \circ s_1$ and $s_1 \circ s_2$ without necessarily $s_0 \circ s_2$.

If $\mathbb{A}$ is a pre-skeleton such that no $a \in \mathrm{non}_{\mathbb{A}}$ is originating and $s \circ s'$ implies $s = s'$, then $\mathbb{A}$ is a skeleton. The following fact will be used later:

Proposition 3.7. Suppose $\mathbb{A}$ is a pre-skeleton, $\mathbb{A}_1$ a skeleton and $H = [\phi, \sigma]\colon \mathbb{A} \mapsto \mathbb{A}_1$ a non-degenerate homomorphism. If $n \circ n'$ then $\phi(n) = \phi(n')$.

In the next proposition we try to identify pre-skeletons which, aside from failure of unique origination, are nearly skeletons in the sense that the violating strands are essentially duplicates of each other.

Proposition 3.8. Suppose $\mathbb{A}$ is a pre-skeleton with the following properties:

(1) No element of $\mathrm{non}_{\mathbb{A}}$ is originating in $\mathbb{A}$.

(2) If $s, s'$ are strands of $\mathbb{A}$ such that $s \circ s'$ then for $i \leq \min(h(s), h(s'))$,

$\mathrm{term}(s \downarrow i) = \mathrm{term}(s' \downarrow i)$ with matching direction.

In particular, $\circ$ is an equivalence relation on strands and nodes.

(3) If $n_1 \preceq m_1 \circ n_2 \preceq \cdots \preceq m_{k-1} \circ n_1$, then $n_1 \circ m_1 \circ n_2 \cdots m_{k-1} \circ n_1$.

Then we can collapse $\mathbb{A}$ into a skeleton $\mathbb{A}^{\circ}$ by identifying nodes $n, n'$ such that $n \circ n'$. The partial order $\preceq_{\mathbb{A}^{\circ}}$ is defined by $m \preceq_{\mathbb{A}^{\circ}} m'$ iff there are nodes $n, n'$ in $\mathbb{A}$ such that $n \preceq_{\mathbb{A}} n'$, $m$ is the $\circ$-equivalence class of $n$ and $m'$ is the $\circ$-equivalence class of $n'$. The identification mapping $\phi\colon \mathbb{A} \to \mathbb{A}^{\circ}$ is such that $(\phi, \mathrm{id})$ is a non-degenerate homomorphism.

Proof. By Proposition 3.6, it is non-degenerate if it is a homomorphism at all. The only fact which needs to be checked for this is that $\preceq_{\mathbb{A}^{\circ}}$ is a partial order, but this is immediate from (3). □

A pre-skeleton $\mathbb{A}$ is a pseudo-skeleton iff the conditions of Proposition 3.8 hold.

Definition 3.9 (Substitution acting on a skeleton). If $\mathbb{A}$ is a skeleton and $\sigma$ is a substitution such that $\mathbb{A} \odot \sigma$ is a pseudo-skeleton, then we define $\mathbb{A} \cdot \sigma$ to be $(\mathbb{A} \odot \sigma)^{\circ}$; otherwise it is undefined.
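Origination points, the $\circ$ relation and the collapse of Proposition 3.8, as an added example that is not part of the paper: it computes where each atom originates, decides $s \circ s'$ from the `unique` set, rejects a pre-skeleton whose `non` keys originate, and collapses $\circ$-related strands only when their terms agree with matching direction. Assumed here: the term and strand encodings, a height equal to each strand's full length, the strand order as the only ordering (so clause (3) follows from clause (2)), and constructed sample strands built from the revised Yahalom initiator role of Section 2.2.

```python
"""Origination, the strand relation s ∘ s', and collapsing (Sections 3 and 3.2).

A strand is a list of (sign, term), sign "+" for transmission and "-" for
reception; its height is its full length here.  Terms are as in Section 2:
atoms "type:name", ("cat", g, h), ("enc", t, K).  The ordering is taken to
be the strand order only, so clause (3) of Proposition 3.8 follows from (2).
"""
from itertools import combinations
from typing import List, Set, Tuple

Strand = List[Tuple[str, object]]

def occurring(t) -> Set[str]:
    """Atoms that occur in t; an encryption's key child is a use, not an occurrence."""
    if isinstance(t, str):
        return {t}
    tag, x, y = t
    return occurring(x) | (occurring(y) if tag == "cat" else set())

def originates_at(strand: Strand, i: int, a: str) -> bool:
    """a originates at s ↓ i: the node transmits, a occurs in its term, and
    a occurs on no earlier node of s."""
    sign, term = strand[i]
    return (sign == "+" and a in occurring(term)
            and all(a not in occurring(tm) for _, tm in strand[:i]))

def origination_points(strands: List[Strand], a: str) -> List[Tuple[int, int]]:
    return [(s, i) for s, st in enumerate(strands)
            for i in range(len(st)) if originates_at(st, i, a)]

def strand_circ(strands: List[Strand], unique: Set[str], s: int, s2: int) -> bool:
    """s ∘ s': some a in unique originates on both strands."""
    return s != s2 and any({s, s2} <= {p for p, _ in origination_points(strands, a)}
                           for a in unique)

def collapse(strands: List[Strand], unique: Set[str], non: Set[str]):
    """Check the hypotheses of Proposition 3.8 and, when they hold, return the
    ∘-classes of strand indices; each class becomes one strand of A°."""
    for k in non:
        if origination_points(strands, k):
            return False, f"{k} in non originates", []
    parent = list(range(len(strands)))

    def find(i: int) -> int:
        while parent[i] != i:
            i = parent[i]
        return i

    for s, s2 in combinations(range(len(strands)), 2):
        if not strand_circ(strands, unique, s, s2):
            continue
        h = min(len(strands[s]), len(strands[s2]))
        # clause (2): equal terms with matching direction up to the smaller height
        if strands[s][:h] != strands[s2][:h]:
            return False, f"strands {s} and {s2} share an origination point but differ", []
        parent[find(s)] = find(s2)
    classes: dict = {}
    for i in range(len(strands)):
        classes.setdefault(find(i), []).append(i)
    return True, "pseudo-skeleton", sorted(classes.values())

# Constructed samples built from the revised Yahalom initiator role (Section 2.2);
# K1 stands for K' = key(A).
def cat(*p):
    return p[0] if len(p) == 1 else ("cat", p[0], cat(*p[1:]))

A, B, NA, NB, K, KA = "name:A", "name:B", "nonce:Na", "nonce:Nb", "key:K", "key:K1"
INIT: Strand = [("+", cat(A, NA)),
                ("-", ("enc", cat(B, K, NA, NB), KA)),
                ("+", ("enc", NB, K))]
# Two identical initiator runs both originate Na: ∘-related and equal, so they collapse.
DUP = [INIT, list(INIT)]
# The same, but the second run names another responder: ∘-related yet unequal,
# so there is no collapse without first applying a substitution (Section 3.4).
DUP_RENAMED = [INIT, [INIT[0], ("-", ("enc", cat("name:B2", K, NA, NB), KA)), INIT[2]]]
# Three strands showing ∘ need not be transitive: s0 ∘ s1 via Na, s1 ∘ s2 via Nb.
CHAIN = [[("+", cat(NA, A))], [("+", cat(NA, NB))], [("+", cat(NB, B))]]
```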


3.3. Structure of Homomorphisms between Skeletons.

Proposition 3.10. Suppose $\mathbb{A}$ is a pre-skeleton, $\mathbb{B}$ a skeleton and $H = [\phi, \sigma]\colon \mathbb{A} \mapsto \mathbb{B}$ a homomorphism. Then $\mathbb{A} \odot \sigma$ is a pseudo-skeleton and $H$ is the composition

$$\mathbb{A} \xrightarrow{[\mathrm{id}, \sigma]} \mathbb{A} \odot \sigma \xrightarrow{[\phi, \mathrm{id}]} \mathbb{B} \qquad (1)$$

Moreover, $[\phi, \mathrm{id}]$ factors through the canonical map $\mathbb{A} \odot \sigma \to (\mathbb{A} \odot \sigma)^{\circ}$. If $H$ is non-degenerate, then so is $[\mathrm{id}, \sigma]$.

Proof. The factorization given by (1) is trivial. We show $\mathbb{A} \odot \sigma$ is a pseudo-skeleton. Suppose $s, s'$ are strands of $\mathbb{A} \odot \sigma$ such that $s \circ s'$. Since $\mathbb{B}$ is a skeleton

$$\mathrm{term}(s \cdot \sigma \downarrow i) = \mathrm{term}(s' \cdot \sigma \downarrow i) \text{ with matching direction.} \qquad (2)$$

Now we need to show, using the $\circ$ relation within $\mathbb{A} \odot \sigma$, that for nodes $n_1, m_1, n_2, \ldots$ in $\mathbb{A}$, if $n_1 \preceq m_1 \circ n_2 \preceq \cdots \preceq m_{k-1} \circ n_1$, then $n_1 \circ m_1 \circ n_2 \cdots m_{k-1} \circ n_1$. Now by Proposition 3.7, $\phi(n_{i+1}) = \phi(m_i)$ for $1 \leq i \leq k-1$ and so by acyclicity of $\mathbb{B}$,

$$\phi(n_1) = \phi(m_1) = \phi(n_2) = \cdots = \phi(m_{k-1})$$

It follows that the offsets of $n_1, m_1, n_2, \ldots, m_{k-1}$ are all the same and so therefore $n_i \circ m_i$ for $1 \leq i \leq k-1$. This fulfills the conditions for being a pseudo-skeleton. The factorization follows by definition of quotient.

If $[\mathrm{id}, \sigma]$ is degenerate, then by Proposition 3.5, so is $H$. □


3.4. Primitive pre-Skeletons. Consider a general pre-skeleton $\mathbb{A}$. We would like to know whether there is a substitution $\beta$ such that $\mathbb{A} \odot \beta$ is a pseudo-skeleton.

Though unification applies to sets of term pairs, it is convenient to extend this idea to sets of strand pairs. If $\mathbb{A}$ is a skeleton and $s, s'$ are strands of $\mathbb{A}$ then a unifier for $s, s'$ is a substitution $\sigma$ such that for $i \leq \min(h(s), h(s'))$,

$$\mathrm{term}(s \cdot \sigma \downarrow i) = \mathrm{term}(s' \cdot \sigma \downarrow i) \text{ with matching direction.} \qquad (3)$$

Definition 3.11. A pre-skeleton $\mathbb{A}$ is primitive iff for all strands $s, s'$ of $\mathbb{A}$ such that $s \circ s'$, either

(1) $s, s'$ are not unifiable; or

(2) for $i \leq \min(h(s), h(s'))$,

$\mathrm{term}(s \downarrow i) = \mathrm{term}(s' \downarrow i)$ with matching direction.

If $\mathbb{A}$ is a pre-skeleton, $\Delta(\mathbb{A})$ is the set of all pairs $(s, s')$ of strands in $\mathbb{A}$ such that $s \circ s'$ and $s, s'$ are unifiable. We also write $s \sim s'$ if Clause 2 holds for them, and $s \sim_\sigma s'$ if Clause 2 holds for $s \cdot \sigma$ and $s' \cdot \sigma$.

Theorem 3.12. Let $\mathbb{A}$ be a pre-skeleton. Then there is a substitution $\sigma$ such that

(1) $\mathbb{A} \odot \sigma$ is a primitive pre-skeleton;

(2) $\sigma$ is universal with respect to this property, that is, for every substitution $\sigma'$ such that $\mathbb{A} \odot \sigma'$ is primitive there is a substitution $\gamma$ such that $\sigma' = \gamma \circ \sigma$, and $\gamma$ is uniquely determined on the atoms mentioned in $\Delta(\mathbb{A} \odot \sigma)$.
Proof. The proof of existence of this fact requires some lemmas.

Lemma 3.13. Suppose that $\mathbb{A}$ is a pre-skeleton. Then there is a sequence of substitutions with the following properties: If $\mathbb{A}_0 = \mathbb{A}$ and $\mathbb{A}_i = \mathbb{A}_{i-1} \odot \beta_i$ for $i \in \mathbb{N}$, then for all $i \in \mathbb{N}$, $\beta_i$ is a MGU for $\Delta(\mathbb{A}_i)$. Moreover, if $k$ exceeds 1 plus the number of strands in $\mathbb{A}$, $\beta_k$ is a renaming, in fact the identity.

Proof. Since a unifiable finite set of strand pairs has a MGU, the existence of the sequence follows immediately by induction. As to the bound on $k$, note that for any set $X$ and sequence of partitions $\mathcal{P}_1, \mathcal{P}_2, \ldots, \mathcal{P}_k$ of $X$ where $\mathcal{P}_{i+1}$ is a strict coarsening of $\mathcal{P}_i$, $k \leq \mathrm{card}\, X$. Applying this fact to the equivalence relations $\sim_{\sigma_\ell}$ on the strands of $\mathbb{A}$, where $\sigma_\ell = \beta_\ell \circ \beta_{\ell-1} \circ \cdots \circ \beta_1$, it follows that the equivalence relations $\sim_{\sigma_\ell}$ are identical for $\ell \geq \mathrm{card}\, \mathbb{A}$. Therefore $\beta_{\ell+1}$ is a pure renaming on the atoms of $\mathbb{A}_\ell$ for $\ell \geq \mathrm{card}\, \mathbb{A}$. □

Lemma 3.14. Suppose $\mathbb{A}$ is a pre-skeleton, and $\gamma$ is such that $\mathbb{A} \odot \gamma$ is primitive. If $\beta$ is a MGU for $\Delta(\mathbb{A})$ then there is a substitution $\gamma'$ such that $\gamma = \gamma' \circ \beta$. $\gamma'$ is uniquely determined on the atoms mentioned in $\Delta(\mathbb{A} \odot \beta)$.

Proof. Since $\mathbb{A} \odot \gamma$ is primitive, by direct application of the definitions, for any pair of strands $s, s'$ of $\mathbb{A}$ such that $(s \cdot \gamma) \circ (s' \cdot \gamma)$, either (1) for all $i \leq \min(h(s), h(s'))$,

$$\mathrm{term}(s \cdot \gamma \downarrow i) = \mathrm{term}(s' \cdot \gamma \downarrow i) \text{ with matching direction,} \qquad (4)$$

or (2) $s \cdot \gamma$, $s' \cdot \gamma$ are not unifiable. It follows that for any pair of strands $s, s'$ of $\mathbb{A}$ such that $s \circ s'$ and $s \cdot \gamma$, $s' \cdot \gamma$ are unifiable, Formula (4) holds for all $i \leq \min(h(s), h(s'))$. Since for any pair of strands $s, s'$, $s \cdot \gamma$, $s' \cdot \gamma$ are unifiable iff $s, s'$ are unifiable, it follows that $\gamma$ unifies $\Delta(\mathbb{A})$. Since by hypothesis $\beta$ is a MGU for $\Delta(\mathbb{A})$, the existence of $\gamma'$ follows, as well as its uniqueness on the atoms mentioned in $\Delta(\mathbb{A} \odot \beta)$. □

Now we return to the proof of Theorem 3.12. Referring to the notation of Lemma 3.13, if $\ell$ exceeds 1 plus the number of strands of $\mathbb{A}$, then $\mathbb{A}_\ell$ is a primitive skeleton and $\sigma_\ell = \beta_\ell \circ \beta_{\ell-1} \circ \cdots \circ \beta_1$ satisfies the universality condition of Theorem 3.12. This completes the proof of the Theorem. □

Corollary 3.15. Suppose $\mathbb{A}$ is a pre-skeleton such that $\mathbb{A} \odot \delta$ is a pseudo-skeleton for some $\delta$. Then there is a substitution $\sigma$ such that $\mathbb{A} \odot \sigma$ is a pseudo-skeleton and which is universal with respect to this property, that is, for any $\sigma'$ such that $\mathbb{A} \odot \sigma'$ is a pseudo-skeleton, there is a substitution $\gamma$ such that $\sigma' = \gamma \circ \sigma$ and $\gamma$ is uniquely determined on the atoms mentioned in $\mathbb{A} \odot \sigma$.

The universal pseudo-skeleton $\mathbb{A} \odot \sigma$ is unique up to renaming of variables.

Proof. Let $\sigma$ be a substitution which satisfies the conditions of Theorem 3.12. In particular, $\mathbb{A} \odot \sigma$ is primitive and there is a substitution $\delta'$ such that $\delta = \delta' \circ \sigma$. Now if $s, s'$ are strand pairs in $\mathbb{A} \odot \sigma$ such that $s \circ s'$, then $(s \cdot \delta') \circ (s' \cdot \delta')$. Since by assumption $\mathbb{A} \odot \delta$ is a pseudo-skeleton, for $i \leq \min(h(s), h(s'))$,

$$\mathrm{term}(s \cdot \delta' \downarrow i) = \mathr{term}(s' \cdot \delta' \downarrow i) \text{ with matching direction.}$$

Thus $s, s'$ are unifiable. It follows that the primitive skeleton $\mathbb{A} \odot \sigma$ is a pseudo-skeleton.

The uniqueness properties follow immediately from the main theorem. □

Definition 3.16. $\mathrm{Pseudo}(\mathbb{A})$ is the minimal pseudo-skeleton of $\mathbb{A}$, which equals $\mathbb{A} \odot \sigma$ for the $\sigma$ introduced in Corollary 3.15. $(\mathbb{A} \odot \sigma)^{\circ}$ is the skeletal hull of $\mathbb{A}$, denoted $\mathrm{Hull}(\mathbb{A})$.

Corollary 3.17. Suppose $\mathbb{A}$ is a pre-skeleton such that there is a homomorphism $H$ of $\mathbb{A}$ onto a skeleton. Then the skeletal hull of $\mathbb{A}$ is defined. If there is a non-degenerate $H$, then the canonical map $\mathbb{A} \mapsto (\mathbb{A} \odot \sigma)^{\circ}$ is non-degenerate.

Proof. This is immediate from Corollary 3.15. □

3.5.  Substructures,  Liveness. 

Definition 3.18 (Contraction). A homomorphism $H = [\phi, \alpha]\colon A \to A'$ is a contraction if there are distinct atoms $a, b$ mentioned in $A$ such that $a \cdot \alpha = b \cdot \alpha$.

Definition 3.19. $H = [\phi, \alpha]$ is an embedding if $\phi$ and $\alpha$ are injective.

$A_0$ is a substructure of $A$ if there exists an embedding $H\colon A_0 \to A$.

$A_0$ is a trivial substructure of $A$ if there exists an embedding $[\phi, \alpha]\colon A_0 \to A$ such that $\phi$ is surjective. If there is a non-surjective embedding, then $A_0$ is a non-trivial substructure of $A$.

Since pre-skeletons have finitely many nodes, there cannot be both surjective and non-surjective embeddings. Observe that we ignore renaming in defining substructures.

Proposition 3.20. If $B$ realizes $A$, then $A$ is a trivial substructure of $\mathrm{skeleton}(B)$.

Proof. The regular nodes and ordering of $A$ equal those of $B$, and hence those of $\mathrm{skeleton}(B)$. Moreover, $\mathrm{unique}_A \subseteq \mathrm{unique}_{\mathrm{skeleton}(B)}$ and $\mathrm{non}_A \subseteq \mathrm{non}_{\mathrm{skeleton}(B)}$, although the inclusions may be proper. □

We are interested in a skeleton $A_0$ only if it leads to a realizable skeleton $A$. Otherwise $A_0$ is a dead end: it does not describe any part of a real bundle. We formalize this intuition by homomorphisms, and say that $A_0$ leads to $B$ if for some $H$ and $A$, $H\colon A_0 \to A$ and $B$ realizes $A$. We say that $A_0$ is live if it leads to some bundle $B$.


4.  Operations  on  pre-Skeletons 

4.1.  Joins.  In  this  section  we  define  the  union  and  join  of  pre-skeletons  A  and  B. 
These  pre-skeletons  may  intersect,  but  on  the  intersection  they  must  be  compatible 
in  the  following  sense: 

(1)  If  a  strand  s  of  A  has  a  node  in  B,  then  the  entire  strand  s  is  in  B. 

(2)  If  a  node  n  is  in  the  intersection,  term(n)  does  not  depend  on  whether  n  is 
considered  a  node  of  A  or  B. 

(3)  The  order  relations  of  A  and  B  coincide  on  the  intersection. 

The union is denoted $A \cup B$. In defining the join operation, we need to specify the nodes of $A \cup B$, the origination data $\mathrm{unique}_{A \cup B}$, $\mathrm{non}_{A \cup B}$, and a partial order on the nodes of $A \cup B$.

(1) $\mathrm{nodes}(A \cup B) = \mathrm{nodes}(A) \cup \mathrm{nodes}(B)$.

(2) $\mathrm{unique}_{A \cup B} = \mathrm{unique}_A \cup \mathrm{unique}_B$.

(3) $\mathrm{non}_{A \cup B} = \mathrm{non}_A \cup \mathrm{non}_B$.

(4) The partial order on $A \cup B$ is the union of the partial orders of $A$ and $B$.

The union of partial orders is a partial order, assuming clause 3 in the compatibility conditions above.

Definition 4.1. The skeletal hull of $A \cup B$, if it exists, is the join of $A$ and $B$, denoted $A \vee B$.

Proposition 4.2. Suppose $A, B$ are pre-skeletons, $C$ is a skeleton, and $H = [\phi, \alpha]\colon A \to C$ and $K = [\psi, \beta]\colon B \to C$ are homomorphisms. Suppose that $\alpha$ and $\beta$ coincide on atoms in the intersection of their domains, and that $\phi$ and $\psi$ coincide on nodes in the intersection of their domains. Then there is a unique homomorphism

$J\colon A \cup B \to C$

which extends $H, K$. Moreover, $A \vee B$ is defined and $J$ factors through $A \vee B$. If $H, K$ are non-degenerate, then so is $J$.

Proof. By the assumption on the substitutions, $\alpha \cup \beta$ is well-defined. $J = [\phi \cup \psi, \alpha \cup \beta]$ is clearly a homomorphism of skeletons. The fact that the skeletal hull of $A \cup B$ is defined follows from Corollary 3.17. The fact that $J$ factors through the skeletal hull follows from the universal property. □

4.2. Order Refinement. Given a pre-skeleton $A$, we can consider partial orders which are refinements of the partial order $\preceq_A$. If $\preceq^*$ is such a partial order, let $A[\preceq^*]$ be the pre-skeleton in which $\preceq^*$ replaces $\preceq_A$.

Given a partial order $\preceq$ on a set $X$, a refinement of $\preceq$ can be obtained from a set $R \subseteq X \times X$, where $(a, b) \in R$ is to impose $a \preceq b$ in the refinement, by considering the transitive closure $\mathrm{Tran}(\preceq \cup R)$ of $(\preceq \cup R)$. Thus $x \preceq^* y$ iff there is a finite sequence of pairs $\{(a_i, b_i)\}_{1 \le i \le n}$ of elements of $R$ such that $x \preceq y$, or $x \preceq a_1$, $b_i \preceq a_{i+1}$ and $b_n \preceq y$. The resulting relation is a partial order iff there is no sequence $\{(a_i, b_i)\}_{1 \le i \le n}$ with $n \ge 2$ such that $b_n \preceq a_1$.

We state the previous fact in the following lemma:

Lemma 4.3. Suppose $\phi\colon (X, \preceq_X) \to (Y, \preceq_Y)$ is a morphism between partially ordered sets. If $R \subseteq X \times X$ is such that $\phi(a) \preceq_Y \phi(b)$ but $\phi(a) \ne \phi(b)$ for $(a, b) \in R$, and $\preceq^* = \mathrm{Tran}(\preceq_X \cup R)$, then $\phi$ is also a morphism $(X, \preceq^*) \to (Y, \preceq_Y)$.

Proposition 4.4. Suppose $H = [\phi, \alpha]\colon A \to B$ is a non-degenerate homomorphism of pre-skeletons, $R \subseteq \mathrm{nodes}(A) \times \mathrm{nodes}(A)$ and $\preceq^* = \mathrm{Tran}(\preceq_A \cup R)$. If $\phi(n) \prec_B \phi(m)$ for every $(n, m) \in R$, then $H = [\phi, \alpha]\colon A[\preceq^*] \to B$ is also a non-degenerate homomorphism of pre-skeletons.

Proof. The only structural change to $A$ is its pre-order, and the result follows from the lemma. □

4.3. Augmentations. An augmentation to $A$ is the result of joining a single role instance to $A$, followed by an order refinement. We use the origination data of the protocol (Definition 2.1) to determine the uniquely originating and non-originating values of the result.

Definition 4.5. Let $\Pi$ be a protocol, let $r$ be a role of $\Pi$, and let $\alpha$ be a substitution. The role skeleton of $r$ under $\alpha$ up to height $i$ is the skeleton $A$ where: $R_A$ is the singleton of the strand $s = r \cdot \alpha$; $h_A(s) = i$; $s \downarrow j \preceq_A s \downarrow k$ iff $j \le k$; $\mathrm{non}_A = (n_r \cdot \alpha)$; and $\mathrm{unique}_A = (u_r \cdot \alpha)$.

Suppose the join $A'$ of $A$ with this role skeleton is well-defined; let $R \subseteq \mathrm{nodes}(A') \times \mathrm{nodes}(A')$; and let $\preceq^* = \mathrm{Tran}(\preceq_{A'} \cup R)$. $H$ is an augmentation if it is the canonical $H\colon A \to A'[\preceq^*]$.

If $R$ is of the form $\{(n_0, m_0), (m_1, n_1)\}$ where $n_0 \preceq n_1$ and $m_0 \Rightarrow^{+} m_1$ on $r \cdot \alpha$, then we write $A'[\preceq^*]$ in an abbreviated form.

If $R$ is of the form $\{(m_1, n_1)\}$ where $n_1 \in \mathrm{nodes}(A)$ and $m_1$ lies on $r \cdot \alpha$, then we write $A'[\preceq^*]$ in a corresponding abbreviated form.

Proposition 4.6. Suppose $A$ is a pre-skeleton, $C$ is a skeleton, and $H\colon A \to C$ and $K$, from the role skeleton of $r$ under $\alpha$ up to height $i$ into $C$, are non-degenerate homomorphisms. Suppose also that the substitution components of $H, K$ agree on the common part of their domains. Then the join $B$ of $A$ with this role skeleton is well-defined.

Let $J_0$ be the canonical map from the union of $A$ and the role skeleton to $B$, and let $J_1 = [\phi, \beta]$ extend $H, K$.

If $R \subseteq \mathrm{nodes}(B) \times \mathrm{nodes}(B)$ is such that $(n, m) \in R$ implies $\phi(n) \prec \phi(m)$, then $J_1 = J_3 \circ J_2$, where $J_2\colon B \to B[\preceq^*]$ and $\preceq^* = \mathrm{Tran}(\preceq_B \cup R)$.

Proof. Immediate from Propositions 4.2 and 4.4. □

Proposition 4.7. Suppose that $A$ is a skeleton and the join $B$ of $A$ with the role skeleton of $r$ under $\alpha$ up to height $i$ is well-defined, where $\phi_A$ and $\phi_r$ are the canonical maps into $B$. Suppose $\phi_A$ and $\phi_r$ have disjoint range, and let $\phi = \phi_A \cup \phi_r$. If $m \in \mathrm{range}(\phi_r)$ and $n \in \mathrm{range}(\phi_A)$, and $\preceq^* = \mathrm{Tran}(\preceq_B \cup \{(m, n)\})$, then $B[\preceq^*]$ is a skeleton.

If $n_0 \prec_A n_1$ and $m_0 \Rightarrow^{+} m_1$, and

$\preceq^* = \mathrm{Tran}(\preceq_B \cup \{(\phi(n_0), \phi(m_0)),\ (\phi(m_1), \phi(n_1))\})$,

then $B[\preceq^*]$ is a skeleton.

Proof. In both cases, observe that the transitive closure is acyclic. □
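The closure $\mathrm{Tran}(\preceq \cup R)$ of Section 4.2 and the two acyclicity cases of Proposition 4.7, as an added Python example that is not part of the paper: the node labels, the responder strand of height 4 and the server strand of height 2 are constructed here, and Warshall's closure together with an antisymmetry check is the assumed way of computing $\mathrm{Tran}$ and of testing for a partial order.

```python
"""Order refinement Tran(<= ∪ R) of Section 4.2, checked on the cases of Proposition 4.7.

Constructed example, not the paper's code: nodes are (strand_name, index) pairs, so the
paper's node s↓j is written (s, j).
"""
from itertools import product
from typing import Any, FrozenSet, Iterable, List, Set, Tuple

Node = Any
Pair = Tuple[Node, Node]


def transitive_closure(nodes: Iterable[Node], rel: Iterable[Pair]) -> FrozenSet[Pair]:
    """Reflexive, transitive closure of `rel` over `nodes` (Warshall's algorithm).

    This is Tran(rel) of Section 4.2: x <=* y iff x <= y, or there is a chain
    x <= a_1, b_1 <= a_2, ..., b_n <= y through pairs (a_i, b_i) of the added set R.
    """
    nodes = list(nodes)
    reach: Set[Pair] = {(n, n) for n in nodes} | set(rel)
    for k in nodes:
        for i, j in product(nodes, nodes):
            if (i, k) in reach and (k, j) in reach:
                reach.add((i, j))
    return frozenset(reach)


def is_partial_order(rel: FrozenSet[Pair]) -> bool:
    """A reflexive, transitive relation is a partial order iff it is antisymmetric.

    Section 4.2's condition "no chain with b_n <= a_1" is exactly the absence of a
    cycle x <=* y <=* x with x != y, which is what is tested here.
    """
    return all((y, x) not in rel for (x, y) in rel if x != y)


def refine(nodes: Iterable[Node], order: Iterable[Pair], added: Iterable[Pair]):
    """Return (Tran(order ∪ added), whether the result is still a partial order)."""
    closure = transitive_closure(nodes, set(order) | set(added))
    return closure, is_partial_order(closure)


def strand_order(name: str, height: int) -> Tuple[List[Node], Set[Pair]]:
    """Nodes name↓1 .. name↓height with s↓j <= s↓k iff j <= k (Definition 4.5)."""
    ns = [(name, j) for j in range(1, height + 1)]
    return ns, {(ns[j], ns[k]) for j in range(height) for k in range(j, height)}


def yahalom_augmentation_orders() -> Tuple[bool, bool, bool]:
    """Join a constructed responder strand (height 4) with a server strand (height 2)
    and refine the order as in the second case of Proposition 4.7.

    Returns (refinement is a partial order, resp↓2 <=* resp↓3 still holds,
             the reversed attachment gives a partial order); expected (True, True, False).
    """
    resp_nodes, resp_order = strand_order("resp", 4)
    serv_nodes, serv_order = strand_order("serv", 2)
    nodes = resp_nodes + serv_nodes
    # Section 4.1, clause (4): the join's order is the union of the two strand orders.
    joined = resp_order | serv_order

    # Proposition 4.7, second case: R = {(n0, m0), (m1, n1)} with n0 <=_A n1 on the
    # responder and m0 ⇒+ m1 on the new server strand. The closure stays acyclic.
    n0, n1 = ("resp", 2), ("resp", 3)
    m0, m1 = ("serv", 1), ("serv", 2)
    good, good_ok = refine(nodes, joined, {(n0, m0), (m1, n1)})

    # Reversing the attachment points, R = {(n1, m0), (m1, n0)}, routes the server
    # strand from resp↓3 back to resp↓2 although resp↓2 <= resp↓3 already holds, so
    # Tran(<=_B ∪ R) contains a cycle and is no longer a partial order.
    bad, bad_ok = refine(nodes, joined, {(n1, m0), (m1, n0)})

    return good_ok, (n0, n1) in good, bad_ok
```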

Proposition 4.8. If an augmentation $H = [\phi, \alpha]\colon A \to A'$ is a contraction, then $\phi(R_A) = R_{A'}$, i.e. every strand in $A'$ is of the form $\phi(s)$ for some strand $s$ in $A$.

Proof. Let $A'$ be the join of $A$ with the role skeleton. Since $H$ is a contraction, there are two atoms $a, b$ mentioned in $A$ such that $a \cdot \alpha = b \cdot \alpha$. This occurs only if there are distinct strands $s, s'$ such that $s \circ s'$. Since $A$ is a skeleton, $s, s'$ cannot both be in $A$. Hence one (say $s$) is in the role skeleton and, as this is a singleton, the other $s'$ is in $A$. Thus in the union of $A$ with the role skeleton we identify the strand $s$ with some $s'$ already in $A$. □

When $i$, the height of $s$, is greater than $h_A(s')$, then $A'$ has additional nodes on this strand, even though it does not have any fully new strands. The converse of this proposition is clearly false.


5.  Safety 

Fix some protocol $\Pi$ for this section, so that a bundle means a bundle over $\Pi$ (Definition 2.1). In particular, we assume that any bundle satisfies the origination data and key constraints for $\Pi$. An atom is safe in a skeleton $A$ if its image is not disclosed in any bundle reached from $A$. We regard a bundle $B$ as reachable from $A$ if there is a homomorphism from $A$ to $\mathrm{skeleton}(B)$, and moreover the homomorphism is non-degenerate in the sense that it does not destroy points of unique origination.

Definition 5.1 (Safe Atoms). $a \in \mathrm{Safe}(A)$ just in case, for every non-degenerate homomorphism $H = [\phi, \alpha]$ and bundle $B$, if $H\colon A \to \mathrm{skeleton}(B)$, then there is no $n \in B$ such that $\mathrm{term}(n) = a \cdot \alpha$.

In particular, when $a = K$ is a key, $K \cdot \alpha$ is not used in $B$ for encryption or decryption on any penetrator E or D strand (Appendix A, Definition A.4). By the definition, safety is preserved under non-degenerate homomorphisms that preserve liveness:

Proposition 5.2. If $a \in \mathrm{Safe}(A_0)$ and the homomorphism $H\colon A_0 \to A_1$ is non-degenerate, then $a \cdot \alpha_H \in \mathrm{Safe}(A_1)$.

We are interested in a skeleton only when a bundle is reachable from it, and bundles always respect the origination data $u_r, n_r$ of roles of the protocol (Definition 2.1). Hence, we may assume that skeletons do too ($R_A$ refers here to the strands contained in the skeleton $A$ as in Definition 3.1):

Proposition 5.3. Suppose that $s = r \cdot \alpha$ and $s \in R_A$. Let $\mathrm{non}' = \mathrm{non}_A \cup (n_r \cdot \alpha)$ and $\mathrm{unique}' = \mathrm{unique}_A \cup (u_r \cdot \alpha)$; let $A' = (R_A, h_A, \preceq_A, \mathrm{non}', \mathrm{unique}')$; and let $H_0\colon A \to A'$ be the embedding of $A$ into $A'$. Every homomorphism $H\colon A \to \mathrm{skeleton}(B)$ is of the form $H_1 \circ H_0$. In particular, $a \in \mathrm{Safe}(A)$ if $a \in \mathrm{Safe}(A')$.

5.1. Establishing Safety. In [4, Propositions 16, 17] we provided (essentially) a recipe for proving by induction that particular atoms are safe, which we simplify and extend here. Suppose that we have a skeleton $A$; we want to define inductively a set of atoms that will be safe in $A$. For the base case, $a \in \mathrm{non}_A$ suffices. For the induction step, suppose $a \in \mathrm{unique}_A$ and consider regular strands $s$. If $a \sqsubseteq t_0 \sqsubseteq s \downarrow i$ and $t_0$ originates at $s \downarrow i$, then $t_0$ may make $a$ vulnerable, unless $a$ is always wrapped using a key whose inverse is already known to be safe. If every strand that originates some $t_0$ with $a \sqsubseteq t_0$ wraps it in a key with safe inverse, however, then $a$ will be safe at the next level. More formally:

Definition 5.4. Let $\mathrm{unique}, \mathrm{non}, \mathrm{used}$ be sets of atoms, let $\Sigma$ be a set of regular strands, and let $h\colon \Sigma \to \mathbb{N}$ be a height function for $\Sigma$.

Suppose $S$ is a set of atoms. Define $\Gamma(S)$ to be the set of encrypted terms $\{\, \{|t|\}_K : K^{-1} \in S \,\}$. Define $\Delta(\mathrm{unique}, \mathrm{non}, \mathrm{used}, \Sigma, h)(S)$ to be the set of atoms $a$ such that either $a \in \mathrm{non}$ or else:

(1) $a \in \mathrm{unique}$;

(2) $a \in \mathrm{used}$; and

(3) for all $s \in \Sigma$ and $j$ such that $j \le h(s)$ and $s \downarrow j$ is positive, if for all $k < j$, $a$ occurs only within $\Gamma(S)$ in $s \downarrow k$, then $a$ occurs only within $\Gamma(S)$ in $s \downarrow j$.

Define $\mathrm{Safe\_ind}(A, \Sigma, h)$ to be the least fixed point of $\Delta(\mathrm{unique}_A, \mathrm{non}_A, \mathrm{used}_A, \Sigma, h)$, where $\mathrm{used}_A$ is the set of $a$ such that $a$ originates on some $n \in A$.

If $B$ is a bundle and $A = \mathrm{skeleton}(B)$, then $\mathrm{Safe\_ind}(B) = \mathrm{Safe\_ind}(A, \Sigma, h)$, where $\Sigma = R_A$ is the set of strands in $A$, and $h = h_A$ is its height function.

Proposition 5.5. If $a \in \mathrm{Safe\_ind}(B)$, then there is no $n \in B$ such that $\mathrm{term}(n) = a$.

Proof. As in [4, Proposition 17]. □

In inferring that values are safe in a skeleton $A$, we need only worry about regular strands $s$ that could appear in some bundle $B$ such that $H\colon A \to \mathrm{skeleton}(B)$. Thus, we may assume that $s$ respects the non-origination and unique origination conditions of $A$, and uses keys in a way compatible with the key constraints of regular strands already in $A$.

Definition 5.6. A regular strand $s = r \cdot \beta$ is compatible with $A$ if (1) for all $b \in \mathrm{non}_A$, $b$ does not originate on $s$; (2) for all $b \in \mathrm{unique}_A$, if $b$ originates on any $n \in A$, then $b$ does not originate on $s$; (3) the key constraints of $s$ are jointly satisfiable with those of $A$. $C(A) = \{s : s \text{ is compatible with } A\}$.

$C(A)$ is important because these are the only regular strands that need to be added in building up bundles that $A$ leads to:

Proposition 5.7. If $H$ maps the join of $A$ with a role skeleton of $r$ to $\mathrm{skeleton}(B)$, then $H = H_2 \circ H_1$ where $H_1$ either maps this join to $A \cdot \alpha$, or else maps it to the join of $A$ with the role skeleton of $r$ under $\gamma$, where $r \cdot \gamma \in C(A)$.

Proposition 5.8. $\Sigma \subseteq \Sigma'$ implies $\mathrm{Safe\_ind}(A, \Sigma', h) \subseteq \mathrm{Safe\_ind}(A, \Sigma, h|_{\Sigma})$.

Proof. By the form of Clause 3 in Definition 5.4, if (3) holds for a larger $\Sigma'$, then it holds a fortiori for a smaller $\Sigma$. That is, $\Sigma \subseteq \Sigma'$ implies

$\Delta(\mathrm{unique}, \mathrm{non}, \mathrm{used}, \Sigma', h)(S) \subseteq \Delta(\mathrm{unique}, \mathrm{non}, \mathrm{used}, \Sigma, h)(S)$.

Since $\Delta(\mathrm{unique}, \mathrm{non}, \mathrm{used}, \Sigma, h)$ is monotone and

$S \subseteq \Delta(\mathrm{unique}, \mathrm{non}, \mathrm{used}, \Sigma, h)(S)$,

the inclusion is preserved under the least fixed point. □

Proposition 5.9. $\mathrm{Safe\_ind}(A, \Sigma, h) \subseteq \mathrm{Safe\_ind}(A \cdot \alpha, \Sigma \cdot \alpha, h')$, where $h'(s \cdot \alpha) = h(s)$.

Proof. Let $\Delta = \Delta(\mathrm{unique}, \mathrm{non}, \mathrm{used}, \Sigma, h)$ and

$\Delta' = \Delta(\mathrm{unique} \cdot \alpha, \mathrm{non} \cdot \alpha, \mathrm{used} \cdot \alpha, \Sigma \cdot \alpha, h')$,

where $h'$ is the height function for $\Sigma \cdot \alpha$ such that $h'(s \cdot \alpha) = h(s)$ for $s \in \Sigma$. Then $\Delta(T \cdot \alpha^{-1}) \subseteq \Delta'(T) \cdot \alpha$. If $T$ is a fixed point of $\Delta'$, then $T \cdot \alpha^{-1}$ is a fixed point of $\Delta$. Thus, for $T$ the least fixed point of $\Delta'$, $T$ is a fixed point of $\Delta$, hence includes the least fixed point of $\Delta$. □

Proposition 5.10. Suppose that $H\colon A \to \mathrm{skeleton}(B)$ is non-degenerate, and $a \in \mathrm{Safe\_ind}(A, C(A), h)$, where $h$ is a height function for $C(A)$. Then $a \cdot \alpha_H \in \mathrm{Safe\_ind}(B)$, and in particular $a \in \mathrm{Safe}(A)$.

Proof. Follows from applications of Propositions 5.8–5.9. □

5.2. Safe Keys in Yahalom. We can now use the method described in Proposition 5.10 to infer that session keys are safe in the Yahalom protocol.

Proposition 5.11. If $s \in \mathrm{Serv}[A, B, K_A, K_B, N_a, N_b, K]$ and $h_A(s) = 3$, then $K \in \mathrm{Safe}(A)$.

Proof. By Proposition 5.3, we may assume that $K_A, K_B \in \mathrm{non}_A$ and $K \in \mathrm{unique}_A$. Suppose that $s' \in C(A)$ and $K \sqsubseteq t_0 \sqsubseteq \mathrm{term}(s' \downarrow j)$, where $t_0$ originates at $s' \downarrow j$. Then by the definition of the Yahalom protocol, this must be the second or third node on a server strand. Since $K \in \mathrm{unique}_A$, $s' = s$. If $j = 2$, then $K$ occurs only within the singleton $\{\{|B \,\hat{}\, K \,\hat{}\, N_a \,\hat{}\, N_b|\}_{K_A}\}$, and $K_A \in \mathrm{non}_A$. If $j = 3$, then $K$ occurs only within the singleton $\{\{|A \,\hat{}\, K|\}_{K_B}\}$, and $K_B \in \mathrm{non}_A$. Thus, $K \in \mathrm{Safe\_ind}(A, C(A), h)$, and, by Proposition 5.10, $K \in \mathrm{Safe}(A)$. □
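The fixed-point computation of Definition 5.4 applied to the server strand of Proposition 5.11, as an added Python example that is not part of the paper: the three Yahalom traces are a reconstruction from the text's description of Figure 2, all keys are assumed symmetric, the "occurs only within $\Gamma(S)$" test follows the subterm relation of Definition A.1 (a key is not a subterm of the encryption it produces), and the contrasting variant at the end is constructed purely to show the check failing.

```python
"""Inductive safety of Definition 5.4, run on the Yahalom server strand of Proposition 5.11.

Constructed example, not the paper's code.  Assumptions: atoms are strings, concatenation
is a tuple, Enc(body, key) stands for {|body|}_key, all keys are symmetric (K^{-1} = K),
and the three role strands below are a reconstruction of Figure 2 from the text.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple, Union


@dataclass(frozen=True)
class Enc:
    body: "Term"
    key: str


Term = Union[str, Tuple["Term", ...], Enc]
Node = Tuple[str, Term]          # ("+", t) is a positive (sent) node, ("-", t) a negative one
Strand = List[Node]              # the height function h is simply len(strand)


def inverse(key: str) -> str:
    """K^{-1}; Yahalom uses symmetric keys only, so this is the identity (assumption)."""
    return key


def occurs_only_within_gamma(a: str, t: Term, safe: FrozenSet[str]) -> bool:
    """True iff every occurrence of atom a in t lies inside some {|t0|}_K with K^{-1} in
    `safe`, i.e. inside Gamma(safe) of Definition 5.4.  Following Definition A.1(2) the
    key of an encryption is not a subterm, so an atom used only as a key does not occur."""
    if isinstance(t, str):
        return t != a
    if isinstance(t, tuple):
        return all(occurs_only_within_gamma(a, part, safe) for part in t)
    if inverse(t.key) in safe:      # the whole encryption lies in Gamma(safe)
        return True
    return occurs_only_within_gamma(a, t.body, safe)


def delta(unique: Set[str], non: Set[str], used: Set[str],
          strands: List[Strand], S: FrozenSet[str]) -> FrozenSet[str]:
    """One application of Delta(unique, non, used, Sigma, h)(S) from Definition 5.4."""
    result = set(non)                                   # base case: a in non
    for a in unique & used:                             # clauses (1) and (2)
        ok = True
        for s in strands:                               # clause (3), for every s in Sigma
            for j, (sign, term_j) in enumerate(s):
                if sign != "+":
                    continue
                earlier_protected = all(occurs_only_within_gamma(a, tk, S) for _, tk in s[:j])
                if earlier_protected and not occurs_only_within_gamma(a, term_j, S):
                    ok = False                          # s emits a outside Gamma(S)
        if ok:
            result.add(a)
    return frozenset(result)


def safe_ind(unique: Set[str], non: Set[str], used: Set[str],
             strands: List[Strand]) -> FrozenSet[str]:
    """Least fixed point of Delta, reached by iterating from the empty set."""
    S: FrozenSet[str] = frozenset()
    while True:
        nxt = delta(unique, non, used, strands, S)
        if nxt == S:
            return S
        S = nxt


# Constructed Yahalom strands (A, B, S as in Section 2.2); a tuple is ^-concatenation.
A, B, KA, KB, NA, NB, K = "A", "B", "K_A", "K_B", "N_a", "N_b", "K"
SERVER: Strand = [("-", (B, Enc((A, NA, NB), KB))),
                  ("+", Enc((B, K, NA, NB), KA)),       # K originates here (node 2)
                  ("+", Enc((A, K), KB))]
INITIATOR: Strand = [("+", (A, NA)),
                     ("-", Enc((B, K, NA, NB), KA)),
                     ("+", Enc((NB,), K))]
RESPONDER: Strand = [("-", (A, NA)),
                     ("+", (B, Enc((A, NA, NB), KB))),
                     ("-", Enc((A, K), KB)),
                     ("-", Enc((NB,), K))]


def yahalom_session_key_safe() -> FrozenSet[str]:
    """Proposition 5.11: with K_A, K_B non-originating and K uniquely originating on the
    server strand, K ends up in Safe_ind.  Expected {K_A, K_B, K}."""
    return safe_ind({K}, {KA, KB}, {K}, [SERVER, INITIATOR, RESPONDER])


def broken_variant_safe() -> FrozenSet[str]:
    """Hypothetical variant, constructed for contrast: the server's third node wraps K
    under the nonce N_b, whose inverse is never known safe, so clause (3) fails for K."""
    server = SERVER[:2] + [("+", Enc((A, K), NB))]
    return safe_ind({K}, {KA, KB}, {K}, [server, INITIATOR, RESPONDER])
```

The first iteration only yields the non-originating keys; the second adds $K$ because both server nodes that emit it are encryptions under a key already in the set, which is exactly the two-case argument of the proof above.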
5.3. Providing Protection for Atoms.

Definition 5.12 (Protection). $S$ offers export protection for $A$ if every $t \in S$ is of the form $\{|t_0|\}_K$ where $K^{-1} \in \mathrm{Safe}(A)$. $S$ offers import protection for $A$ if every $t \in S$ is of the form $\{|t_0|\}_K$ where $K \in \mathrm{Safe}(A)$.

Thus, $S$ offers export protection for $A$ if $S \subseteq \Gamma(\mathrm{Safe}(A))$, where $\Gamma$ is as in Definition 5.4. Protection is preserved under homomorphisms that preserve liveness:

Proposition 5.13. Suppose that $H\colon A_0 \to A_1$, and $H'\colon A_1 \to \mathrm{skeleton}(B)$. If $S$ offers export (respectively, import) protection for $A_0$, then $S \cdot \alpha_H$ offers export (resp. import) protection for $A_1$.

6. The Authentication Tests

The authentication tests tell us that certain regular nodes exist in bundles. The statements here are stronger and simpler than previous versions [4, 2]. Again fix some protocol $\Pi$, and consider only bundles over $\Pi$.

6.1. The Outgoing Authentication Test. Export protection means that a value is used within an encrypted unit from which only regular participants can retrieve contents (Definition 5.12).

Definition 6.1 (Outgoing Transformed and Transforming Edges). Regular nodes $n_0, n_1 \in A$ form an outgoing transformed edge for $a, S, A$ if (1) $S$ provides export protection for $A$; (2) $a \in \mathrm{unique}_A$ originates at $n_0$ and occurs only within $S$ in $\mathrm{term}(n_0)$; and (3) $a$ occurs outside $S$ in $\mathrm{term}(n_1)$.

Strand $s$ is an outgoing transforming edge for $a, S$ from $j$ to $i$ if (1) $s \downarrow j$ is the earliest occurrence of $a$ on $s$; (2) $s \downarrow i$ is the earliest node on $s$ on which $a$ occurs outside $S$; (3) $s \downarrow i$ is positive, and $s \downarrow j$ is negative unless $a$ originates at $s \downarrow j$.

Unless $a$ originates on $s \downarrow j$, from (3) it follows that $i \ne j$ on an outgoing transforming edge, so from (1) and (2) it follows that $j < i$ and $a$ occurs only within $S$ on $s \downarrow j$.

Proposition 6.2 (Outgoing Authentication Test). If $n_0, n_1 \in B$ form an outgoing transformed edge for $a, S, \mathrm{skeleton}(B)$, then there exist $s, j, i$ such that $s \downarrow i \in B$ and $s$ is an outgoing transforming edge for $a, S$ from $j$ to $i$.

Moreover, letting $s \downarrow j = m_0$ and $s \downarrow i = m_1$, $n_0 \preceq_B m_0 \Rightarrow^{+} m_1 \preceq_B n_1$; $a \sqsubseteq \mathrm{term}(m_0)$; and for all $m \prec_B m_0$, $a$ occurs only within $S$ in $m$.

Proof. Let $T = \{m \in B : a \text{ occurs outside } S \text{ in } \mathrm{term}(m) \text{ and } m \preceq_B n_1\}$. $T$ is non-empty because $n_1 \in T$. By Proposition A.3, $T$ has $\preceq_B$-minimal members, so let $m_1$ be minimal in $T$. We show first that if $m_1$ is regular, then the proposition is true, and next that $m_1$ is in fact regular, because it cannot lie on a penetrator strand.

Assume $m_1$ is regular: $a$ does not originate at $m_1$, because it originates uniquely at $n_0$ and $m_1 \ne n_0$. Thus, there is $m_0 \Rightarrow^{+} m_1$ such that $a \sqsubseteq \mathrm{term}(m_0)$, and we may choose $m_0$ to be the earliest such node. Let $j, i$ be the indices of $m_0, m_1$ on their common strand $s$. Condition (1) is thus satisfied, and condition (2) is satisfied by the minimality of $m_1$ in $T$. By [7, Lemma 2.8], $m_1$ is positive. If $m_0$ is positive, then it is a point of origination for $a$, i.e. $m_0 = n_0$, so that condition (3) is also true.

Does $m_1$ lie on a penetrator strand? Since $a$ originates uniquely at the regular $n_0$, $m_1$ is not a M or K node. By the minimality of $m_1$, it does not lie on a "constructive" E or C strand. Since $S$ is a set of encryptions, minimality of $m_1$ implies $m_1$ does not lie on a S strand. However, if $m_1$ is the third node of a D strand, then the second node has term $\{|h|\}_K \in S$ and the first node contains $K^{-1}$, contradicting the assumption that $S$ provides export protection for $\mathrm{skeleton}(B)$.

By [7, Lemma 2.9], $n_0 \preceq m_0$; by the definition of $T$, $m_1 \preceq n_1$; by the minimality of $m_1$ in $T$, $m \prec_B m_0 \preceq_B m_1$ implies $a$ occurs only within $S$ in $\mathrm{term}(m)$. □

6.2. Outgoing Tests for the Yahalom Protocol. The Yahalom protocol as described in Figure 2 may be proved correct — from B's point of view — using the outgoing test principle. Evidently the fresh value is $N_b$, which must be transformed by a server strand to escape from $B \,\hat{}\, \{|A \,\hat{}\, N_a \,\hat{}\, N_b|\}_{K_B}$. The server embeds it within some term of the form $\{|B \,\hat{}\, K \,\hat{}\, N_a \,\hat{}\, N_b|\}_{K_A}$; an initiator strand will be needed to allow it to escape from this form, and achieve the $\{|N_b|\}_K$ form in which B finally receives it back. The subtlety comes in checking what we know about which variables must match.

We may start by assuming that a bundle $B$ contains a responder strand $s_r$ of height 4, which we assume to have the parameters named in Figure 2; $K_A, K_B$ are non-originating, and $N_b$ is uniquely originating. We also assume $N_b \ne N_a$. Thus, $s_r \downarrow 2, s_r \downarrow 4$ is an outgoing transformed edge for $a$, various choices of set $S$, and $\mathrm{skeleton}(B)$. As our first choice of $S$, we select

$S_1 = \{\, \{|B \,\hat{}\, K' \,\hat{}\, N_a \,\hat{}\, N_b|\}_{K_A} : K' \text{ is a key} \,\} \cup \{\, \{|A \,\hat{}\, N_a \,\hat{}\, N_b|\}_{K_B} \,\}.$

This set provides export protection because we have assumed that the symmetric keys $K_A, K_B$ are non-originating. Since $s_r \downarrow 4$ contains $N_b$ outside of $S_1$, there is a regular transforming edge that receives $N_b$ only within $S_1$ and emits $N_b$ outside $S_1$. Taking cases on the roles of the protocol, this is an initiator strand $s_i$ of $B$-height 3, with parameters $A, B, N_a, N_b, K'$ for some key $K'$.

Moreover, the pair of nodes $s_r \downarrow 2, s_i \downarrow 3$ is also a transformed edge, this time for the set

$S_2 = \{\, \{|A \,\hat{}\, N_a \,\hat{}\, N_b|\}_{K_B} \,\}.$

Here we may infer (by cases) that there is a server strand $s_s$ of $B$-height 2, also with parameters $A, B, N_a, N_b, K'$ for the same key $K'$.

Since $K'$ originates here in the forms $\{|B \,\hat{}\, K' \,\hat{}\, N_a \,\hat{}\, N_b|\}_{K_A}$, $\{|A \,\hat{}\, K'|\}_{K_B}$ with $K_A, K_B$ non-originating, and no role transforms a term containing a key, $K'$ is safe.

If $K' \ne K$, then we may apply the outgoing authentication test principle to the set

$S_3 = \{\, \{|B \,\hat{}\, K' \,\hat{}\, N_a \,\hat{}\, N_b|\}_{K_A} \,\} \cup \{\, \{|A \,\hat{}\, N_a \,\hat{}\, N_b|\}_{K_B} \,\} \cup \ldots$

Since, taking cases on the roles of the protocol, there is no transforming edge for $S_3$, we refute the assumption $K' \ne K$. That is, identifying $K' = K$ is the only way to explain how $B$ is possible.

By two positive and one negative application of the outgoing authentication test principle, we have proved the presence of initiator and server strands with the right parameters. Observe that we considered $S_1$ and $S_2$ in reverse order, in the sense that $N_b$ reaches the strand introduced by $S_2$ before it reaches the strand introduced by $S_1$.
6.3. The Incoming Authentication Test. Import protection means that a value is used within an encrypted unit that only a regular participant can create (Definition 5.12).

Proposition 6.3 (Incoming Test Principle). Suppose $n_1 \in B$ is negative, $t \sqsubseteq \mathrm{term}(n_1)$, and the singleton set $\{t\}$ offers import protection for $\mathrm{skeleton}(B)$. There exists a regular $m_1 \prec n_1$ such that $t$ originates at $m_1$. Moreover:

Solicited Incoming Test: If $a \sqsubseteq t$ originates uniquely on $n_0 \ne m_1$, then $n_0 \preceq m_0 \Rightarrow^{+} m_1 \prec n_1$.

Proof. Let $T = \{m \in B : t \sqsubseteq \mathrm{term}(m) \text{ and } m \preceq n_1\}$. $T$ is nonempty because $n_1 \in T$, and thus contains a minimal node $m_1$. By the definition of $T$, $m_1 \preceq n_1$. Since $\{t\}$ provides import protection for $\mathrm{skeleton}(B)$, $t = \{|t_1|\}_K$ where $K$ is safe for $\mathrm{skeleton}(B)$.

Node $m_1$ does not lie on a penetrator strand: $m_1$ does not lie on a M or K node because $t$ is not a subterm of an atom. No term originates on a "destructive" D or S strand. Since $t$ is an encryption, it does not originate on a C strand. If $t = \{|t_1|\}_K$ originates on the positive (third) node of a E strand, then the first node has term $K$, contradicting the safety of $K$.

If in addition $a \sqsubseteq t$ originates uniquely on $n_0 \ne m_1$, then there is a $m_0 \Rightarrow^{+} m_1$ with $a \sqsubseteq \mathrm{term}(m_0)$. By [7, Lemma 2.9], either $m_0$ is itself the point of origination $n_0$ or else $n_0 \prec m_0$, whence $n_0 \preceq m_0$. □

For convenience, we refer to $n_1$ (or $(n_0, n_1)$ in the case of a solicited incoming test) as an incoming transformed edge, and to $m_1$ (or $m_0 \Rightarrow^{+} m_1$ if solicited) as an incoming transforming edge.

6.4. Incoming Tests for the Yahalom Protocol. The Yahalom protocol also uses solicited incoming tests to provide the initiator with its guarantee. The fresh value is $N_a$, which must be transformed by a server strand to enter the form $\{|B \,\hat{}\, K \,\hat{}\, N_a \,\hat{}\, N_b|\}_{K_A}$. The server embeds it within some term of this form, but a responder strand must previously have put $N_a$ in the form $\{|A \,\hat{}\, N_a \,\hat{}\, N_b|\}_{K_B}$.

We may start by assuming that a bundle $B$ contains an initiator strand $s_i$ of height 3, which we assume to have the parameters named in Figure 2; $K_A, K_B$ are non-originating, and $N_a$ is uniquely originating. Now we apply the solicited incoming test to node $n_1 = s_i \downarrow 2$, term $t = \{|B \,\hat{}\, K \,\hat{}\, N_a \,\hat{}\, N_b|\}_{K_A}$, atom $a = N_a$, and originating node $n_0 = s_i \downarrow 1$. The edge $m_0 \Rightarrow^{+} m_1$ can now only lie on a server strand $s_s$ with parameters $A, B, N_a, N_b, K$.

We now apply the solicited incoming test to the server's node $n_1 = s_s \downarrow 2$, term $t = \{|A \,\hat{}\, N_a \,\hat{}\, N_b|\}_{K_B}$, still retaining $a = N_a$ and $n_0 = s_i \downarrow 1$. Taking cases on the roles of the protocol, we infer that there is a responder strand of $B$-height at least 2, and parameters $A, B, N_a, N_b, K'$, where $K'$ is undetermined.

7.  The  Authentication  Tests  and  Homomorphisms 

7.1. Outgoing Tests and Homomorphisms. We may regard the outgoing authentication test as telling us how to extend a skeleton, in case it contains outgoing transformed edges with no outgoing transforming edges. However we embed the skeleton into a bundle, we will have to add a suitable transformed edge. We call this process an augmentation. An augmentation adds a strand (or an initial sub-strand) to supply a transforming edge for some existing transformed edge, as dictated by Proposition 6.2. An augmentation is a homomorphism embedding the skeleton into a larger one.

In order to carry out this idea, though, we must resolve a fine point. If $H = [\phi, \alpha]\colon A_0 \to A_1$ and $n_0, n_1 \in A_0$ form an outgoing transformed edge for $a, S, A_0$, one would like $\phi(n_0), \phi(n_1)$ to form an outgoing transformed edge for $a \cdot \alpha, S \cdot \alpha, A_1$. Otherwise, the transforming edge we add to resolve it may turn out to be superfluous. Likewise, if $m_0, m_1$ form a transforming edge, we would like $\phi(m_0), \phi(m_1)$ to do so also. Otherwise, adding this edge did not permanently resolve the transformed edge that it was meant to.

Proposition 7.1 (Outgoing preservation). Let $H = [\phi, \alpha]\colon A \to A'$ be non-degenerate.

(1) Suppose that $n_0, n_1 \in A$ form an outgoing transformed edge for $a, S, A$. If $a$ occurs outside $(S \cdot \alpha) \cdot \alpha^{-1}$ in $\mathrm{term}(n_1)$, then $n_0, n_1$ form an outgoing transformed edge for $a, (S \cdot \alpha) \cdot \alpha^{-1}, A$.

Hence $\phi(n_0), \phi(n_1)$ form an outgoing transformed edge for $a \cdot \alpha, S \cdot \alpha, A'$.

(2) Suppose $s$ is a transforming edge for $a, S$ from $j$ to $i$. If $a$ occurs outside $(S \cdot \alpha) \cdot \alpha^{-1}$ in $\mathrm{term}(s \downarrow i)$, then $s$ is a transforming edge for $a, (S \cdot \alpha) \cdot \alpha^{-1}$ from $j$ to $i$.

Hence, $\phi(s)$ is a transforming edge for $a \cdot \alpha, S \cdot \alpha$ from $j$ to $i$.

Indeed, if $S$ is closed under identifications made by $\alpha$, then $a$ does occur outside $(S \cdot \alpha) \cdot \alpha^{-1}$ in the terms $\mathrm{term}(n_1)$ and $\mathrm{term}(s \downarrow i)$.

Definition 7.2. If $n_0, n_1$ form an outgoing transformed edge for $a, S, A$ and $s$ is an outgoing transforming edge for $a, S$ from $j$ to $i$, and $n_0 \preceq_A s \downarrow j \Rightarrow^{+} s \downarrow i \preceq_A n_1$, then $s$ is an outgoing solution for $n_0, n_1$ and $a, S, A$.

Definition 7.3. Suppose $A'$ is an augmentation of $A$ by a role skeleton of $r$ (Definition 4.5), and $H = [\phi, \beta]\colon A \to A'$ is the augmentation map.

$H$ is an outgoing augmentation for $n_0, n_1$ and $a, S, A$ if (1) $n_0, n_1 \in A$ form an outgoing transformed edge for $a, S, A$; (2) $\phi(r)$ is an outgoing solution for $\phi(n_0), \phi(n_1)$ and $(a \cdot \beta, S \cdot \beta, A')$; and (3) there is no outgoing solution for $\phi(n_0), \phi(n_1)$ and $(a \cdot \beta, S \cdot \beta, A')$ in the image of $A$ under $\phi$.

Fix some protocol $\Pi$. A contraction (Definition 3.18) is a homomorphism that identifies distinct atoms.

Proposition 7.4 (Finite Outgoing Splitting). Suppose $A$ contains an outgoing transformed edge $n_0, n_1$ for $a, S, A$ with no solution. There exist a finite number of outgoing augmentations $H_1, \ldots, H_k$ such that every homomorphism $H\colon A \to \mathrm{skeleton}(B)$ begins with a contraction, or with one of the $H_i$ with $1 \le i \le k$.

Proof. Suppose a homomorphism $H = [\phi, \alpha]$ is a contraction. Then it certainly begins with a contraction. Otherwise, it identifies no values mentioned in $A$. In this case, $\phi(n_0), \phi(n_1)$ is an outgoing transformed edge for $(a \cdot \alpha, S \cdot \alpha, \mathrm{skeleton}(B))$. By Proposition 6.2, $\mathrm{skeleton}(B)$ contains an outgoing solution $s'$ for $\phi(n_0), \phi(n_1)$ and $(a \cdot \alpha, S \cdot \alpha, \mathrm{skeleton}(B))$. This $s'$ is not the image of any $s \in A$, as $s$ would then be a solution in $A$. Thus, $H$ begins with an outgoing augmentation.

To see that finiteness holds, there are only finitely many roles in $\Pi$, and $s = r \cdot \beta$ for one of these roles $r$. Only finitely many $\beta$ need be considered, as $\beta$ is determined by which atoms in $r$ are identified with atoms mentioned in $A$, and which atoms in $r$ that are not mentioned in $A$ are identified with each other. □

Indeed, for a large number of protocols, there is a single augmentation $H_1$ that suffices, and every non-contracting homomorphism mapping $A$ to a realizable skeleton factors through $H_1$. We recommended this as a protocol design criterion in [4, Section 6.3] and incorporated it as part of a protocol design methodology in [3, Section 8]. Some protocols violate this advice (or the corresponding advice for incoming augmentations), and are known to be flawed [4].

7.2.  Incoming  Tests  and  Homomorphisms. 

Definition  7.5.  Suppose  rii  €  A  is  negative,  t  C  term(jii),  and  the  singleton  set 
{t}  ojfers  import  protection  for  A.  In  this  case,  we  callni  an  incoming  transformed 
node.  A  strand  s  is  an  incoming  solution  for  ni,t,A  if  t  originates  on  s  [  i  &  A. 

Definition  7.6.  Suppose 

A'=AVM“’V^n. 

and H = [φ, β] : A ↦ A' is the augmentation map.

H is an incoming augmentation for n_1, t, A if (1) s is an incoming solution for n_1, t, A; and (2) there is no incoming solution for φ(n_1), t · β, A' in the image of A under φ.

Proposition 7.7 (Finite Incoming Splitting). Suppose A contains an incoming transformed node n_1 with no solution. There exist a finite number of incoming augmentations H_1, ..., H_k such that every homomorphism H : A ↦ skeleton(B) begins with a contraction, or with one of the H_i with 1 ≤ i ≤ k.

8.  Conclusion 

There are evidently many additional questions one would like to ask in this framework. For instance, can every realizable skeleton be found in a systematic way using incoming and outgoing augmentations, and perhaps another kind of augmentation? Is there a class of protocols for which the search process of augmenting necessarily terminates? How can one implement the operations described here so that a mechanical tool can enumerate the shapes of bundle permitted by a given bundle? These questions will be considered in future work.
Appendix A. Strand Spaces

Definition A.1. A directed term is a pair (σ, t) with t ∈ A and σ one of the symbols +, −. We will write a directed term as +t or −t. (±A)* is the set of finite sequences of directed terms. A strand space over A is a set Σ with a trace mapping tr : Σ → (±A)*. We assume that Σ is closed under substitution; i.e. if α is a substitution and s ∈ Σ is a strand with trace ⟨(σ_1, t_1), ..., (σ_n, t_n)⟩ then there exists s[α] ∈ Σ with trace ⟨(σ_1, t_1[α]), ..., (σ_n, t_n[α])⟩. Fix a strand space Σ;

(1) A node is a pair (s, i), with s ∈ Σ and i such that 1 ≤ i ≤ length(tr(s)). The set of nodes is denoted by N. We also refer to (s, i) as s ↓ i.

(2) The subterm relation ⊑ is defined inductively, as the smallest transitive, reflexive relation such that t ⊑ {|g|}_K if t ⊑ g, and t ⊑ g ^ h if t ⊑ g or t ⊑ h. (Hence, K ⊑ {|g|}_K only if K ⊑ g already.)

(3) Suppose I is a set of terms. The node n ∈ N is an entry point for I iff term(n) = +t for some t ∈ I, and whenever n' ⇒+ n, term(n') ∉ I.

(4) A term t originates on n ∈ N iff n is an entry point for I = {t' : t ⊑ t'}.

(5) A term t is uniquely originating in S ⊆ N iff there is a unique n ∈ S such that t originates on n, and non-originating if there is no such n ∈ S.

If a term t originates uniquely in a suitable set of nodes, then it can play the role of a nonce or session key. If it is non-originating, it can serve as a long-term secret, such as a shared symmetric key or a private asymmetric key. N together with both sets of edges n_1 → n_2 (message transmission from positive to negative node) and n_1 ⇒ n_2 (succession on the same strand) is a directed graph (N, (→ ∪ ⇒)). A bundle is a subgraph of (N, (→ ∪ ⇒)) for which the edges express causal dependencies of the nodes.

Definition A.2. Suppose →_B ⊆ →, suppose ⇒_B ⊆ ⇒, and let B = (N_B, (→_B ∪ ⇒_B)) be a finite acyclic subgraph of (N, (→ ∪ ⇒)). B is a bundle if:

(1) If n_2 ∈ N_B and term(n_2) is negative, then there is a unique n_1 such that n_1 →_B n_2.

(2) If n_2 ∈ N_B and n_1 ⇒ n_2 then n_1 ⇒_B n_2.

A node n is in a bundle B = (N_B, →_B ∪ ⇒_B), written n ∈ B, if n ∈ N_B. The B-height of a strand s is the largest i such that (s, i) ∈ B. If S is a set of edges, i.e. S ⊆ → ∪ ⇒, then ≺_S is the transitive closure of S, and ≼_S is the reflexive, transitive closure of S.

Proposition A.3. If B is a bundle, ≼_B is a partial order. Every non-empty subset of the nodes in B has ≼_B-minimal members.
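The definitions of subterm, origination and bundle above are mechanical enough to execute. The following is an added example, not code from the paper or its authors: it encodes terms as nested tuples, strands as traces, and checks Definition A.1(2)-(5) and the two bundle conditions of Definition A.2 on a constructed two-strand run (the acyclicity of B is assumed rather than checked, and the ⇒_B edges are taken to be all strand-succession edges inside N_B).

```python
# Added example, not from the paper: an executable model of Definitions A.1 and
# A.2. Terms are atoms (strings), ('cat', g, h) for g ^ h, or ('enc', g, K) for
# {|g|}_K. A strand is its trace: a list of (sign, term) with sign '+' or '-'.

def subterm(t, u):
    """t ⊑ u per A.1(2): descend into g ^ h and into the body of {|g|}_K, never
    into the key K, so K ⊑ {|g|}_K only if K ⊑ g already."""
    if t == u:
        return True
    if isinstance(u, tuple) and u[0] == 'cat':
        return subterm(t, u[1]) or subterm(t, u[2])
    if isinstance(u, tuple) and u[0] == 'enc':
        return subterm(t, u[1])
    return False

def originates(t, strands, s, i):
    """A.1(3)-(4): s↓i (1-based) is an entry point for I = {t' : t ⊑ t'}."""
    sign, term = strands[s][i - 1]
    if sign != '+' or not subterm(t, term):
        return False
    # No earlier node n' ⇒+ n on the same strand may already have t ⊑ term(n').
    return not any(subterm(t, m) for _, m in strands[s][:i - 1])

def origination_nodes(t, strands, nodes):
    """The n ∈ S on which t originates: one node means uniquely originating,
    none means non-originating in S (A.1(5))."""
    return [(s, i) for (s, i) in sorted(nodes) if originates(t, strands, s, i)]

def is_bundle(strands, nodes, sends):
    """A.2 with N_B = nodes and →_B = sends (pairs of nodes); ⇒_B is every
    strand-succession edge inside N_B. Acyclicity is assumed. Returns (ok, why)."""
    for (s, i) in nodes:
        if i > 1 and (s, i - 1) not in nodes:        # condition (2)
            return False, f"({s},{i}) in B but its predecessor is not"
        if strands[s][i - 1][0] == '-':               # condition (1)
            senders = [a for (a, b) in sends if b == (s, i)]
            if len(senders) != 1:
                return False, f"negative node ({s},{i}) has {len(senders)} senders"
            a = senders[0]
            if a not in nodes or strands[a[0]][a[1] - 1] != ('+', strands[s][i - 1][1]):
                return False, f"edge {a} -> ({s},{i}) does not transmit the same term"
    return True, "bundle"

# Constructed two-strand run: A sends A ^ Na, B answers {|Na|}_Kab.
STRANDS = {
    'A': [('+', ('cat', 'A', 'Na')), ('-', ('enc', 'Na', 'Kab'))],
    'B': [('-', ('cat', 'A', 'Na')), ('+', ('enc', 'Na', 'Kab'))],
}
NODES = {('A', 1), ('A', 2), ('B', 1), ('B', 2)}
SENDS = {(('A', 1), ('B', 1)), (('B', 2), ('A', 2))}
```

On this run Na originates uniquely on A↓1 (it is a nonce), while Kab originates nowhere because a key is not a subterm of the message it encrypts, which is exactly what lets it model a long-term secret.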

Definition A.4. A penetrator strand is one of the following:

M_t: ⟨+t⟩ where t ∈ text        K_K: ⟨+K⟩

C_{g,h}: ⟨−g, −h, +g ^ h⟩        S_{g,h}: ⟨−g ^ h, +g, +h⟩

E_{h,K}: ⟨−K, −h, +{|h|}_K⟩        D_{h,K}: ⟨−K^{-1}, −{|h|}_K, +h⟩.


